Newsletters
The Enterprise Security Supersite NewsFactor Sites:       NewsFactor.com     Enterprise Security Today     CRM Daily     Business Report     Sci-Tech Today  
   
This ad will display for the next 20 seconds. Click for more information, or
Home Network Security Viruses & Malware Cybercrime Security Solutions More Topics...
APC Free White Paper
Optimize your network investment &
Enter to win a Samsung Galaxy Note

www.apc.com
Mobile Security
Next Generation Data Center Is Here!
Average Rating:
Rate this article:  
Android Master Key Vulnerability Exploited in Two Apps
Android Master Key Vulnerability Exploited in Two Apps

By Seth Fitzgerald
July 24, 2013 10:39AM

Bookmark and Share
When Symantec first wrote about the Android "master key" flaw, which was identified by startup Bluebox Security, Google automatically released a patch to protect devices. While the patch protects Nexus devices, manufacturers still have to push out updates to non-Nexus phones, which could take months.
 


Symantec researchers say the first known use of the Android "master key" vulnerability has been found in the wild. Two applications distributed on unofficial Android marketplaces in China were found to be using the exploit.

When Symantec's team first discussed the vulnerability earlier this month, which was identified by startup Bluebox Security, they said they expected attackers to exploit it quickly because of its ease-of-use. They appear to have been right on the mark.

The two applications discovered in the marketplace were legitimate apps which are meant to help people find and make doctor appointments, however an attacker seems to have added code to the apps in order to make them exploit the Android master key vulnerability.

The Exploit

Both of the previously legitimate applications have been infected with additional code which allows the hacker to remotely control devices, access data, send premium SMS messages, and disable security features.

By using this vulnerability, the hacker modified the applications by adding a new classes.dex file which contains the code, as well as a new manifest file which specifies permissions.

The attackers ability to send out premium texts is one of the most concerning aspects of the exploit. Each premium text that is sent out because of this code will incur a charge, although all of the fees will be directed to the attacker and not to the carrier.

Difficulty Updating

When Symantec first announced that they had discovered this type of flaw, Google automatically released a patch which would protect devices. Even though the patch prevents Nexus devices against attacks, manufacturers still have to push out updates with the patch to non-Nexus phones.

The process of sending out updates can sometimes take months, no matter how important the update is to a device. Millions of Android devices either never receive updates or they receive very few updates, resulting in continuous vulnerabilities to many different attacks.

This type of delay has been one of the major criticisms of Android especially recently, and has resulted in many people praising Apple because of how fast and easily it is able to push out security updates to all of their devices.

Many users are now demanding that carriers and phone manufacturers find a new way of receiving and pushing out important security-based updates. Although design changes require a lot of custom tailoring to individual phones, security updates should take far less time to distribute.

Protecting Your Device

Since it could take months for a security update to be implement on all Android phones, there are a few ways to protect your device from attacks like this one.

Simply downloading Norton Security antivirus should keep any infected applications from harming your device. Another alternative is the Bluebox Security Scanner, which should also provide the necessary protection.

Users with a Nexus or Samsung device will have already had the patch sent out to their phone, but taking these precautions is important for users with any other type of device.
 

Tell Us What You Think
Comment:

Name:



APC has an established a reputation for solid products that virtually pay for themselves upon installation. Who has time to spend worrying about system downtime? APC makes it easy for you to focus on business growth instead of business downtime with reliable data center systems and IT solutions. Learn more here.


 Mobile Security
1.   Data Recovered from 'Wiped' Phones
2.   Anti-Spying Blackphone Starts Shipping
3.   Android, Win Phone To Get Kill Switch
4.   Report: Spyware on Chinese Phone
5.   BlackBerry BBM Boosts Security


advertisement
Data Recovered from 'Wiped' Phones
Android 'factory reset' is inadequate.
Average Rating:
Anti-Spying Blackphone Starts Shipping
Development result of NSA revelations.
Average Rating:


advertisement
Product Information and Resources for Technology You Can Use To Boost Your Business

Network Security Spotlight
Canadian Government Charges China With Cyberattack
The government of Canada is not happy with China. Canadian officials have accused "a highly sophisticated Chinese state-sponsored actor" of launching a cyberattack on its National Research Council.
 
Researchers Working To Fix Tor Security Exploit
Developers for the Tor privacy browser are scrambling to fix a bug revealed Monday that researchers say could allow hackers, or government surveillance agencies, to track users online.
 
Wall Street Journal Hacked Again
Hacked again. That’s the story at the Wall Street Journal this week as the newspaper reports that the computer systems housing some of its news graphics were breached. Customers not affected -- yet.
 

Enterprise Hardware Spotlight
Apple Updates MacBook Pros, Cuts Prices Up to $100
The popular MacBook Pro laptop line just got an update and a price cut of as much as $100. The MacBook Pro with Retina display now includes faster processors and double the memory.
 
Dell, BlackBerry Not Sweating Apple-IBM Alliance
IBM's recent move to partner with Apple to sell iPhones and iPads loaded with corporate applications has excited investors in both companies, but two rivals say they are unperturbed for now.
 
Watson Gets His First Customer Service Gig
Since appearing on Jeopardy, IBM's Watson supercomputer has been making a living using his super-intelligent knowledge base for business verticals. Now, Watson's been hired for his first customer service job.
 

Mobile Technology Spotlight
Virgin Mobile Offers Custom Smartphone Plans
As the wireless carrier wars continue heating up, Virgin Mobile just threw the customization coal onto the fire. The firm has debuted a no-annual-contract plan with rates based on individual use.
 
Collaboration Provider Asana Revamps Mobile App
Asana, a collaboration software provider started by a Facebook founder, is now out with a rebuilt native iOS mobile app. It replaces one that even the company admits was not up to par.
 
Android 'Fake ID' Puts Millions of Users at Risk
Having this fake ID is nothing to brag about, even if you are a minor. The “Fake ID” Android flaw drops malware into smartphone apps. It can steal credit card data and even take over your device.
 

Navigation
Enterprise Security Today
Home/Top News | Network Security | Viruses & Malware | Cybercrime | Security Solutions | Mobile Security | Disaster Recovery | Windows Security
Data Security | EST Press Releases
NewsFactor Network Enterprise I.T. Sites
NewsFactor Technology News | Enterprise Security Today | CRM Daily

NewsFactor Business and Innovation Sites
Sci-Tech Today | NewsFactor Business Report

NewsFactor Services
FreeNewsFeed | Free Newsletters

About NewsFactor Network | How To Contact Us | Article Reprints | Careers @ NewsFactor | Services for PR Pros | Top Tech Wire | How To Advertise

Privacy Policy | Terms of Service
© Copyright 2000-2014 NewsFactor Network. All rights reserved. Article rating technology by Blogowogo. Member of Accuserve Ad Network.